Data retention policy
We will retain your Personal Data for a period of time that is consistent with the original purpose of the data collection, or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
We determine the appropriate retention period for Personal Data by considering the amount, nature and sensitivity of your Personal Data processed, the potential risk of harm from unauthorized use or disclosure of your Personal Data and whether we can achieve the purposes of the processing through other means, and on the basis of applicable legal requirements (such as applicable statutes of limitation).
Data archiving and removal policy
As an identity and security company, nothing is more important to us than protecting our customers’ sensitive data. We’re committed to the highest standards of security and availability to customers across every region, and serving the most regulated and security-conscious industries. As the identity standard, Okta maintains multiple certifications attesting to the effectiveness of Okta’s approach to security to keep your data safe and secure. You can learn more at trust.okta.com.
In order to provide customers with secure choices around how their data is stored, we are implementing the following policies in accordance with Okta’s data processing activities and ISO 27018:2019 certification:
Automatic Purging of Application Log Data
Application-generated system data (as presented in Okta’s System Log) as well as reporting based on log data older than 3 months is automatically removed.
Many customers choose to integrate Okta into their security information and event management (SIEM) environment for longer retention. If you do not have a SIEM, and would like to retain this data for longer than 3 months, we recommend downloading the data from the System Log user interface. More information on exporting Okta log data can be found here.
Automatic Purging of Backup Data
Service backup data is automatically purged 6 months after it is first generated.
If you have any questions about the above security policies, please reach out to Okta Support (firstname.lastname@example.org).
Data storage policy
Security at Okta spans hiring practices, software architecture, and data center operations. Our end-to-end security strategy enables us to deliver a world-class service while protecting customer data.
We operate under a shared security responsibility model, which means:
We’re responsible for the security of the Okta Identity Cloud service and its underlying infrastructure. We’re also committed to providing you with the security features you need in a predictable and reliable manner.
Customers configure and maintain their Okta settings according to their security posture and user activity.
Okta’s data protection meets the highest industry standards, complying with FedRAMP and NIST 800-53, HIPAA, and ISO 27001 requirements. Our state-of-the-art encryption technology protects customer data both at rest and in transit to the user’s browser, leaving no weak spots for attackers.
App/service has sub-processors